diff --git a/mail/.config/isync/mbsyncrc b/mail/.config/isync/mbsyncrc
index d6da236..cba9b9a 100644
--- a/mail/.config/isync/mbsyncrc
+++ b/mail/.config/isync/mbsyncrc
@@ -3,8 +3,8 @@
 IMAPAccount gmail
 # Address to connect to
 Host imap.gmail.com
-UserCmd "gpg2 --decrypt --no-tty --quiet --no-verbose --for-your-eyes-only --pinentry-mode ask ~/.local/share/pass/misc/aerc-gmail-app-password.gpg | grep username | cut -d: -f2"
-PassCmd "gpg2 --decrypt --no-tty --quiet --no-verbose --for-your-eyes-only --pinentry-mode ask ~/.local/share/pass/misc/aerc-gmail-app-password.gpg | head -n1"
+UserCmd "pass show misc/aerc-gmail-app-password | grep username | cut -d: -f2"
+PassCmd "pass show misc/aerc-gmail-app-password | head -n1"
 # To store the password in an encrypted file use PassCmd instead of Pass
 # PassCmd "gpg2 -q --for-your-eyes-only --no-tty -d ~/.mailpass.gpg"
 #
diff --git a/mail/.local/bin/mail-check b/mail/.local/bin/mail-check
index c7b7577..098052b 100755
--- a/mail/.local/bin/mail-check
+++ b/mail/.local/bin/mail-check
@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
 #
 # Runs mbsync, with pre-hooks and post-hooks
 # by default, the pre-hook first runs imapfilter
@@ -38,7 +38,9 @@
 # MBSYNC_NOTIFY=1
 # MBSYNC_PASSWORD_FILE="/path/to/gpg/file.gpg"
 
-PASSWORD_FILE="${MBSYNC_PASSWORD_FILE:-$HOME/.local/share/pass/misc/aerc-gmail-app-password.gpg}"
+# What to run before and after decrypting the password file.
+PASSWORD_CMD="pass open -t 1min"
+# POST_PASSWORD_CMD=""
 
 prehook() {
     if [ -n "$MBSYNC_PRE" ]; then
@@ -83,7 +85,7 @@ checkonline() {
 # warn user that he has to enter his password in a moment
 # to stop catching him offguard or entering something by accident
 checkwarnuser() {
-    agt=$(gpg2 --decrypt --no-tty --quiet --no-verbose --for-your-eyes-only --pinentry-mode cancel "$PASSWORD_FILE" 2>&1)
+    enablegpgagent
     if echo "$agt" | grep -qE 'No secret key'; then
         notify "Mail" "Password phrase needed!"
         sleep 2.5
@@ -91,10 +93,22 @@ checkwarnuser() {
 }
 
 enablegpgagent() {
-    ## get password from user
-    agt=$(gpg2 --decrypt --no-tty --quiet --no-verbose --for-your-eyes-only --pinentry-mode ask "$PASSWORD_FILE" 2>&1)
+    [ -n "$agt" ] && return
+
+    if [ -n "$PASSWORD_CMD" ]; then
+        IFS=" " read -r -a PASSWORD_CMD <<<"$PASSWORD_CMD"
+        # shellcheck disable=SC2068
+        agt=$(${PASSWORD_CMD[@]})
+    fi
+
+    if [ -n "$POST_PASSWORD_CMD" ]; then
+        IFS=" " read -r -a POST_PASSWORD_CMD <<<"$POST_PASSWORD_CMD"
+        "${POST_PASSWORD_CMD[@]}"
+    fi
+
     ## exit program after first failed attempt
-    if echo "$agt" | grep -qE 'decryption failed'; then
+    if echo "$agt" | grep -qE 'decryption failed' ||
+        echo "$agt" | grep -qE 'No such file'; then
         notify "Mail" "Process aborted."
         exit 1
     fi